Thread (107 messages) 107 messages, 7 authors, 2020-04-08

Re: [RFC PATCH v9 01/27] Documentation/x86: Add CET description

From: Andy Lutomirski <luto@amacapital.net>
Date: 2020-03-09 20:16:20
Also in: linux-arch, linux-doc, linux-mm, lkml

On Mar 9, 2020, at 12:50 PM, H.J. Lu [off-list ref] wrote:

On Mon, Mar 9, 2020 at 12:35 PM Dave Hansen [off-list ref] wrote:
quoted
quoted
On 3/9/20 12:27 PM, Yu-cheng Yu wrote:
On Mon, 2020-03-09 at 10:21 -0700, Dave Hansen wrote:
quoted
On 3/9/20 10:00 AM, Yu-cheng Yu wrote:
quoted
On Wed, 2020-02-26 at 09:57 -0800, Dave Hansen wrote>>>>> +Note:
quoted
quoted
+  There is no CET-enabling arch_prctl function.  By design, CET is
+  enabled automatically if the binary and the system can support it.
This is kinda interesting.  It means that a JIT couldn't choose to
protect the code it generates and have different rules from itself?
JIT needs to be updated for CET first.  Once that is done, it runs with CET
enabled.  It can use the NOTRACK prefix, for example.
Am I missing something?

What's the direct connection between shadow stacks and Indirect Branch
Tracking other than Intel marketing umbrellas?
What I meant is that JIT code needs to be updated first; if it skips RETs,
it needs to unwind the stack, and if it does indirect JMPs somewhere it
needs to fix up the branch target or use NOTRACK.
I'm totally lost.  I think we have very different models of how a JIT
might generate and run code.

I can totally see a scenario where a JIT goes and generates a bunch of
code, then forks a new thread to go run that code.  The control flow of
the JIT thread itself *NEVER* interacts with the control flow of the
program it writes.  They never share a stack and nothing ever jumps or
rets between the two worlds.

Does anything actually do that?  I've got no idea.  But, I can clearly
see a world where the entirety of Chrome and Firefox and the entire rust
runtime might not be fully recompiled and CET-enabled for a while.  But,
we still want the JIT-generated code to be CET-protected since it has
the most exposed attack surface.

I don't think that's too far-fetched.
CET support is all or nothing.   You can mix and match, but you will get
no CET protection, similar to NX feature.
Can you explain?

If a program with the magic ELF CET flags missing can’t make a thread with IBT and/or SHSTK enabled, then I think we’ve made an error and should fix it.
-- 
H.J.
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help